Bug Description

set reauthentication_auth_method =trusts

heat stack-create sahara_cluster -f sahara_cluster.yaml

sahara-engine ran into an error when getting the image, with the following error:
Forbidden: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403)

The error log is very clear: heat passed a trust-scoped token to sahara.
Setting "reauthentication_auth_method =trusts" works well for other components except sahara.

Luigi, this problem affects us from mitaka to stable/pike at least. I don't have a master branch to test it right now.
This env is the latest RDO deployed by packstack, and sahara.conf has the default values without any change.

This is not allowed in the keystone token method. The original is described in this way: 'Do not allow tokens used for delegation to create another token, or perform any changes of state in Keystone. To do so is to invite elevation of privilege attacks'
There are two possible solutions without changing the heat configuration:
1. Sahara uses HTTPClient when building the clients for other components.
2. When building the clients for other components, add auth_ref.
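A toy model of the two keystone rules this thread runs into, added here as an illustration (not Sahara, Heat or keystone code): a trust-scoped token may not mint another token, and a trust-scoped token with redelegation_count 0 may not create a sub-trust. The client-building functions, the Token class and the sample heat token are constructed for the example; they show why re-authenticating from the heat trust token fails while reusing the token directly (the auth_ref / HTTPClient suggestion above) succeeds.

```python
"""Model of keystone's trust-token rules (added illustration, not project code)."""
from dataclasses import dataclass
from typing import Callable, Optional


class Forbidden(Exception):
    """Stands in for keystone's HTTP 403."""


@dataclass(frozen=True)
class Token:
    token_id: str
    project_id: str
    trust_id: Optional[str] = None   # set when the token is trust-scoped
    redelegation_count: int = 0      # remaining depth for creating sub-trusts


def issue_token(auth: Token) -> Token:
    """Keystone rule: a token used for delegation may not create another token."""
    if auth.trust_id is not None:
        raise Forbidden("Using trust-scoped token to create another token. "
                        "Create a new trust-scoped token instead.")
    return Token(token_id=auth.token_id + "-new", project_id=auth.project_id)


def create_trust(auth: Token) -> Token:
    """Keystone rule: a sub-trust needs redelegation depth left on the delegating token."""
    if auth.trust_id is not None and auth.redelegation_count <= 0:
        raise Forbidden("redelegation_count exhausted")
    return Token(token_id=auth.token_id + "-trust", project_id=auth.project_id,
                 trust_id="sub-trust", redelegation_count=auth.redelegation_count - 1)


def build_client_by_reauth(auth: Token) -> str:
    """Pattern that fails: re-authenticate before building the service client."""
    return "client:" + issue_token(auth).token_id


def build_client_reusing_token(auth: Token) -> str:
    """Suggested fix: hand the existing token (auth_ref) straight to the service client."""
    return "client:" + auth.token_id


def is_forbidden(fn: Callable[[Token], object], auth: Token) -> bool:
    """True when keystone would answer the call with 403."""
    try:
        fn(auth)
        return False
    except Forbidden:
        return True


# Constructed sample: the trust-scoped token heat hands to sahara.
HEAT_TRUST_TOKEN = Token("heat-tok", "proj", trust_id="heat-trust")
```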


The fix will introduce a new problem after it is applied. Sahara uses heat_trust_token to create a new trust. The heat_trust_token's redelegation_count==0 causes 403 errors.
Problem analysis:

Hi Rabi, AFAIK reauthentication_auth_method =trusts was introduced in [1] to defeat token expiry by reauthentication. So if reauthentication_auth_method = "" is set, will the long-running stack creation fail because of token expiry? Could you help explain it?

Yeah, that's in heat (we use the trusts auth plugin with a keystone session, which would request another token if the token expires (401) [1]). But if sahara uses the heat-provided trust token to again request a token, then it would fail.

Rabi, thanks for your comment.
From the link you pasted [1], the re-authentication happens in keystone and looks like it works for all kinds of keystone sessions (not only the trusts auth plugin but also [2]). If so, we could leave reauthentication_auth_method = "" (re-authentication will still work). Please correct me if anything is wrong.